back to article It's 2017 and Hyper-V can be pwned by a guest app, Windows by a search query, Office by...

Microsoft has released the August edition of its Patch Tuesday update to address security holes in multiple products. Folks are urged to install the fixes as soon as possible before they are exploited. Among the flaws are remote code execution holes in Windows, Internet Explorer/Edge and Flash Player, plus a guest escape in …

  1. DougS Silver badge

    Microsoft has a bumper crop

    Yet Adobe STILL manages to beat them with the bugs in just one product...and that one product isn't even Flash! Do Adobe hire their programmers out of Trump University or something? How do they have such consistently shit code??

    1. Electron Shepherd

      As a wise man once said...

      "All repairs tend to destroy the structure, to increase the entropy and disorder of the system. Less and less effort is spent on fixing the original design flaws; more and more is spent on fixing flaws introduced by earlier fixes. As time passes, the system becomes less and less well-ordered. Sooner or later the fixing ceases to gain any ground. Each forward step is matched by a backward one. Although in principle usable forever, the system has worn out as a base for progress."

      Frederick P. Brooks, The Mythical Man-Month

      1. TReko

        Re: As a wise man once said...

        Indeed - I wonder is MS has tested this stuff in detail.

        We tend to spend a bit of time after every patch Tuesday helping users get stuff working again.

        A patch here and a patch there and soon you have more duct tape than original product.

      2. Anonymous Coward
        Anonymous Coward

        The Mythical Man Month - legit free download

        F.P. Brooks' The Mythical Man Month should still be compulsory reading even if some of the references are a bit dated (microfiche?).

        To make that even simpler, there is (obviously) the Wikipedia article

        https://en.wikipedia.org/wiki/The_Mythical_Man-Month

        Or go direct to an apparently legitimate free download of the First Edition, which was published in 1975, and apparently many people still don't "get it".

        https://archive.org/details/mythicalmanmonth00fred

        1. Stephen Wilkinson

          Re: The Mythical Man Month - legit free download

          It was required reading on my degree course over twenty years ago

          1. AMBxx Silver badge
            Thumb Up

            Re: The Mythical Man Month - legit free download

            I loved the passing reference to a friend working on 'Arpanet'. He througt it might be important!

    2. bombastic bob Silver badge
      Meh

      Re: Microsoft has a bumper crop

      "Do Adobe hire their programmers out of Trump University or something?"

      <facepalm /> <downvote />

      "How do they have such consistently shit code??"

      it's probably a combination of:

      a) management/policy deficiencies

      b) 'original design' flaws

      c) arrogant coders

      d) closed source [so nobody can see how crappy it really is]

      I wonder what the typical "function call depth" is... and how many files you have to look through to find out what XXX does. [and whether classes/objects muck with each others' storage, or if garbage collection is being relied upon instead of proper reference count based object freeup, etc..]

  2. J. R. Hartley Silver badge

    What a time to be alive

  3. W. Anderson

    Past time for Microsoft

    Recently several companies in Canada were evaluating virtualization solution for their Cloud based applications integration and Microsoft sang praises of their Hyper-V over other more established solutions in regard reliability, security, scalability and flexibility, which , as this Patch Report and several security bulletins have shown to be totally rubbish sales propaganda.

    KVM and Xen used for several high end virtualization projects in funded University projgrams and small Petroleum Trading corporations have consistently proven superior to Hyper-V in every case, so it seem ridiculous that any sane technology user would choose Hyper-V instead.

  4. Anonymous Coward
    Windows

    Thanks Mr Nutella!

    Every day, in every way, MSFT products get better and better :)

    1. J. R. Hartley Silver badge

      Re: Thanks Mr Nutella!

      Nutella did a whoopsie in my beret.

  5. John Smith 19 Gold badge
    Coat

    "Those flaws allow a specially crafted webpage or Office document"

    IIRC "Find out what the spec says and do every variation of it that's not correct" is straight out of the Black Team playbook.

    Mine's the one with a well thumbed copy of "Peopleware" in the pocket.

    1. Anonymous Coward
      Anonymous Coward

      Re: a well thumbed copy of "Peopleware" in the pocket.

      Heard of it, not yet read it.

      But I have heard of "defensive programming" and sometimes I even do it.

      Have today's "thought leaders" and their followrs forgotten about that kind of stuff?

  6. Anonymous Coward
    Meh

    Products have flaws,,,,

    ,,,products need patching.

    Move on.

    Show me a major OS that doesn't ever need patching and I'll ride the rainbow unicorn to visit it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Products have flaws,,,,

      and yes indeed therefore products need patching.

      But there are questions of quantity and and impact to be considered. This isn't about aiming for "zero defect" software and systems (where a defect can be either a non-conformance to specification, or unwanted behaviour that has unwanted consequences, maybe other stuff too). It's about shipping products that are fit for purpose, give or take the odd rapidly-fixed issue here and there. Regardless of supplier.

      Enjoy your patching. But personally I know a lot of folks that would just like Stuff That Works. On time, all the time.

      1. Anonymous Coward
        Anonymous Coward

        Re: Products have flaws,,,,

        So show me a OS that does that?

        1. hplasm Silver badge
          Gimp

          Re: Products have flaws,,,,

          "So show me a OS that does that?"

          You keep saying that, over and over, and yet the Windows turd remains unpolished.

  7. Anonymous Coward
    Anonymous Coward

    is my server team behind?

    One of the SQL servers I work with seems desperate to install some updates, it keeps telling me when I rdp it - as if its a home computer . I'd have thought those messages would be surpressed and wsus or sccm would do the whole deal . Maybe its cos its a server and I'm I.T. that the message is still there and all is in fact well - updates are being chosen , tested , approved , whatever and deployed.

    I did infact email 'them' to check im not supposed to be doing it and they say "nope , we got it under control..."

    Now in the update history the last update is :

    "Update for Windows Server 2008 R2 x64 Edition (KB3177467)" on 14/05/2017

    are we behind?

  8. Florida1920

    Complex systems

    Patch Tuesday is turning into a monthly ritual of abuse (legitimately) directed at certain software manufacturers. What has changed over the years?

    From my early days I remember a metric called Mean Time Between Failures (MTBF). It was somehow related to the number of components (resistors, capacitors, tubes/valves (at the time)). The more components, and the more of certain types, the shorter the MTBF.

    It's not unreasonable to expect complex software inherently to be vulnerable to malicious students of the code. It's a learning curve. Software developed today may be less vulnerable as a result. For example, personal computers today are more reliable, as a result of better cooling, and the move to SSDs and away from mechanical hard drives. Solid-state displays outlast CRTs.

    Writing new software that does what the old software did, but is less vulnerable, costs money. A corporation will make more money coming out with new applications than totally replacing what's already out there. Patches are more cost-effective. That is the bottom line.

    Hardware and software have improved over time. What hasn't improved, IMO, is the level of user competence. It's a training thing. After all these years, seemingly well-educated people in jobs that otherwise require intelligence, are still clicking on phishing links!

    It's well and proper to kvetch about Adobe and Microsoft, but the focal point of all security problems is the user. To use an analogy, we've built safer cars, but if the users drive recklessly and don't wear their seat belts, they're still likely to get killed in an accident. So we train people to be sensible behind the wheel, and enforce seat-belt laws. I'm not saying we need civil laws to regulate what you do at the keyboard, but there's precious little public discussion of what not to do. Ransom-ware attacks make headlines; what's rarely mentioned in the news is that if people didn't open the infected files, such attacks would fail. When a malware attack has the potential of some recent events, it seems akin to a public-health issue.

    Shame on Adobe, MS and others for continuing to flog busted code. That said, we've chosen to have capitalist economies where we shouldn't expect better. We can, however, do something to mitigate the potential harm. El Reg and others dutifully report on the subject. Unfortunately, your Aunt Millie probably never reads them.

    Sure, it's unfair to blame users for malware and vulnerable but popular applications. But stuff happens. Malware and vulnerable software are facts. We should complain and we should try to eliminate both. But the buck (pound, euro) stops at the user interface. That's where we're not putting enough resources, IMO.

    1. Anonymous Coward
      Anonymous Coward

      Re: buck stops at the user inteface

      "the buck (pound, euro) stops at the user interface. That's where we're not putting enough resources, IMO."

      You make a selection of excellent points, but I'm not sure that's such a good one.

      There's a *lot* of poorly designed poorly coded poorly implemented InterwebOfTat stuff out there, and there's going to be more in a while.

      Probably quite soon there'll be more IoT stuff than there is desktop and mobile "PC" stuff. The IoT stuff typically doesn't have much in the way of a user interface, but it seems to be just as defective in security terms, just as exploitable, maybe even more so, than your typical "PC" stuff, despite the IoT stuff having only a tiny fraction of the capabilities of modern "PC-class" boxes.

      What's the answer to them, where there is no UI because there is no user in the traditional way?

      The answer to something with no user and no need for a UI isn't investing in UI, it's got no users as such so user education doesn't really help either. Part of the answer *might be* product liability legislation which exists already, but for some reason seems to be considered irrelevant to stuff with software in it.

      If it's more profitable to ship defective by design tat than it is to ship decent stuff, which will most designers and manufacturers choose?

      Sometimes there are exceptions:

      https://www.theregister.co.uk/2016/12/01/ucam247_responds_most_cams_not_vulnerable_to_get_vuln/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020